US10747881B1ActiveUtility
Using browser context in evasive web-based malware detection
Est. expirySep 15, 2037(~11.2 yrs left)· nominal 20-yr term from priority
G06F 21/566G06F 21/564H04L 67/02H04L 63/1491H04L 63/1433G06F 2009/45591G06F 2009/45587G06F 9/45558G06F 2209/541G06F 9/4881G06F 2209/542G06F 9/54G06F 16/955G06F 9/547
95
PatentIndex Score
17
Cited by
46
References
24
Claims
Abstract
The use of browser context in detecting malware is disclosed. A Uniform Resource Locator (URL) is received from a user and at a client device. The URL is used to request, at the client device, and from a remote server, content. At least a portion of data received from the remote server is provided by the client device to an external scanner. The external scanner is configured to use a browser executed in an instrumented virtual machine environment to analyze the data provided by the client device. A maliciousness verdict is received from the external scanner.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A system, comprising:
a processor configured to:
receive, from a user, and at a client device, a Uniform Resource Locator (URL);
use the URL to obtain, at the client device, and from a remote server, content, wherein the remote server is configured to provide a first version of the content when accessed by a client device, and wherein the remote server is configured to provide a second version of the content when accessed by an external scanner;
transmit to the external scanner for analysis by the external scanner, data comprising at least a portion of the content received by the client device from the remote server, wherein the external scanner is configured to use a browser executed in an instrumented virtual machine environment to analyze the data provided by the client device; and
receive, at the client device, a maliciousness verdict from the external scanner, and only in the event the maliciousness verdict is benign, allow the client device to render content from the remote server at the client device; and
a memory coupled to the processor and configured to provide the processor with instructions.
2. The system of claim 1 wherein the processor is further configured to receive, from the external scanner, a request that the client device obtain additional data from the remote server.
3. The system of claim 1 wherein the client device is further configured to act as a proxy on behalf of the external scanner.
4. The system of claim 1 wherein the processor is configured to request the content from the remote server using a browser extension configured to retrieve data and provide it to the external scanner without rendering the retrieved data.
5. The system of claim 1 wherein, in response to receiving the maliciousness verdict, the processor is further configured to store the maliciousness verdict on the client device.
6. A method, comprising:
receiving, from a user, and at a client device, a Uniform Resource Locator (URL);
using the URL to obtain, at the client device, and from a remote server, content, wherein the remote server is configured to provide a first version of the content when accessed by a client device, and wherein the remote server is configured to provide a second version of the content when accessed by an external scanner;
transmitting to the external scanner for analysis by the external scanner, data comprising at least a portion of the content received by the client device from the remote server, wherein the external scanner is configured to use a browser executed in an instrumented virtual machine environment to analyze the data provided by the client device; and
receiving, at the client device, a maliciousness verdict from the external scanner, and only in the event the maliciousness verdict is benign, allowing the client device to render content from the remote server at the client device.
7. The method of claim 6 further comprising receiving, from the external scanner, a request that the client device obtain additional data from the remote server.
8. The method of claim 6 wherein the client device is configured to act as a proxy on behalf of the external scanner.
9. The method of claim 6 further comprising requesting the content from the remote server using a browser extension configured to retrieve data and provide it to the external scanner without rendering the retrieved data.
10. The method of claim 6 further comprising, in response to receiving the maliciousness verdict, storing the maliciousness verdict on the client device.
11. A system, comprising:
a processor configured to:
receive, at an external scanner, from a client device, data received by the client device from a remote server and in response to a request for content made by the client device to the remote server, wherein the remote server is configured to provide a first version of the content when accessed by the client device, and wherein the remote server is configured to provide a second version of the content when accessed by the external scanner;
analyze the data using a browser executed in an instrumented virtual machine environment;
determine a maliciousness verdict for a URL based at least in part on the analyzed data; and
provide the maliciousness verdict to the client device; and
a memory communication interface coupled to the processor and configured to provide the processor with instructions.
12. The system of claim 11 wherein the processor is further configured to request, from the client device, additional data from the remote server.
13. The system of claim 12 wherein the processor is configured to use the client device as a proxy to request the additional data.
14. The system of claim 11 wherein the client device is configured to receive the data from the remote server using a browser extension configured to transmit the data without rendering the received data.
15. The system of claim 11 wherein analyzing the data includes determining whether additional remote web content is needed to render a page.
16. The system of claim 11 wherein the instrumented virtual machine environment is configured to hook every API that can load remote web content.
17. The system of claim 16 wherein the processor is configured to interrupt an attempt to load the remote web content so that the remote web content is requested from the client device.
18. A method, comprising:
receiving, at an external scanner, from a client device, data received by the client device from a remote server and in response to a request for content made by the client device to the remote server, wherein the remote server is configured to provide a first version of the content when accessed by a client device, and wherein the remote server is configured to provide a second version of the content when accessed by an external scanner;
analyzing the data using a browser executed in an instrumented virtual machine environment;
determining a maliciousness verdict for a URL based at least in part on the analyzed data; and
providing the maliciousness verdict to the client device.
19. The method of claim 18 further comprising requesting, from the client device, additional data from the remote server.
20. The method of claim 19 further comprising using the client device as a proxy to request the additional data.
21. The method of claim 18 wherein the client device is configured to receive the data from the remote server using a browser extension configured to transmit the data without rendering the received data.
22. The method of claim 18 wherein analyzing the data includes determining whether additional remote web content is needed to render a page.
23. The method of claim 18 wherein the instrumented virtual machine environment is configured to hook every API that can load remote web content.
24. The method of claim 23 further comprising interrupting an attempt to load the remote web content so that the remote web content is requested from the client device.Join the waitlist — get patent alerts
Track US10747881B1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.